Xerox and Information Security
Keeping your data safe and secure so you can focus on what matters most: your business.
BR5329 SECPA-01UB

Overview
Is security on your mind? Are you worried about your MFPs being the weak link on your network? About the security of the data on the device? About your data being transferred over the network?
At Xerox, we help protect your data at every potential point of vulnerability so you don't have to. We know that by staying focused on what we do best, you can stay focused on what you do best.

Xerox® Security Goals
We've identified five key goals in our quest to provide secure solutions to every one of our customers:
Confidentiality
• No unauthorized disclosure of data during processing, transmission or storage
Integrity
• No unauthorized alteration of data
• System works properly
• System performs as intended, free from unauthorized manipulation
Availability
• No denial of service for authorized users
• Protection against unauthorized use of the system
Accountability
• Actions of an entity can be traced directly to that entity
Non-repudiation
• Mutual assurance that the authenticity and integrity of network communications are maintained

Security Vulnerabilities: Industry Risks and Costs
Businesses of all sizes have sensitive information that is valuable to cybercriminals and that must be protected. However, the threat landscape is changing constantly. Cybercriminals are now focusing their attention on small and mid-sized businesses (SMBs), because they are easier targets than large, multinational corporations.
• The average organizational cost of a data breach in 2011 was $5.5 million.*
• Total breach costs have grown every year since 2006.*
• Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5%) from 2009.*
*"2010 Annual Study: US Cost of a Data Breach." The Ponemon Institute, LLC, March 2011.

Security Vulnerabilities: Industry Risks and Costs
Who's at risk?
Healthcare
The need to share important medical data and patient information electronically makes security a major concern.
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
Government
Strict regulations are in place to ensure the information being shared is safe and secure.
• Federal Information Security Management Act of 2002 (FISMA)
Financial Services
Direct deposit, online banking, debit cards and other advances in information technology are revolutionizing the financial services industry. Though more convenient for both customers and businesses, this heavy use of technology brings its own set of security concerns.
Education
Transcript requests, financial aid applications and even class notes can all be found online. Because some schools have their own medical centers, they also have to store and share medical information electronically. This interactive environment enhances the student experience and improves staff productivity, but it also makes schools susceptible to security threats.

The Xerox® Security Model
Strategy
• State-of-the-art security features. Xerox offers the broadest range of security functionality on the market, including:
– Encryption
– Authentication
– Authorization per user
– Auditing
• Certification
– ISO/IEC 15408 Common Criteria for Information Technology Security Evaluation
• Maintenance
– Software updates issued on an ongoing basis
– RSS feed for notification when new security bulletins are released
– Response to identified vulnerabilities
– Patches available at www.xerox.com/security
– Secure installation and operation
– Common Criteria information

Unrivaled Security for Total Peace of Mind
Devices Visible to IT
Compliance
Xerox MFPs meet key government and industry security standards, e.g., Common Criteria and HIPAA.
Data on the Network
Secure data transmission with IPsec, HTTPS, SNMPv3, SFTP and encrypted email.
Device Access
Prevents general access to restricted devices with role-based user access and a firewall on the printer.
Data Protection
Keeps personal and confidential information safe with an encrypted hard disk (256-bit AES, FIPS 140-2 validated) and image overwrite.
Auditing and Tracking
Tracks access and attempted access to the device, including comprehensive audit logs and confirmation reports.
Malware Protection
Protects your data and device from malicious intrusions with whitelisting.
Risk Management
Proactive, ongoing vulnerability assessment keeps a close eye on emerging threats and the latest risks.
Policy Management
Complete visibility into network and policy management, including user identification, provisioning and audit logs.

Keeping the Device and Data Protected
Device Access
• Network Authentication
• Microsoft Active Directory Services
• LDAP Authentication
• SMTP Authentication
• POP3 Authentication before SMTP
• Role Based Access Control (RBAC)
• Print User Permissions
• Smart Card Authentication
• Secure Access
(Figure: Print User Permissions, Smart Card Authentication, Secure Access and Role Based Access Control (RBAC) screens; roles shown: Non-logged-in User / Logged-in User, System Administrator, Accounting Administrator)

Keeping the Device and Data Protected
Document Protection
• Encrypted PDF / Password-protected PDF
• Fax Forwarding to Email and Network
• Fax Destination Confirmation
• Digital Signatures
• Secure Watermarks
• User/Time/Date Stamp
• Secure Print
(Figure: Secure Print)

Keeping the Device and Data Protected
Data Security
• Hard Disk Encryption
• Image Overwrite
• Volatile and Non-volatile Memory
• Secure Fax
• S/MIME for Scan to Email
• Scan to Email Encryption
• Job Log Conceal
• Hard Disk Retention Offering
• PostScript Passwords
(Figure: Image Overwrite, Hard Disk Encryption)

Keeping the Device and Data Protected
Audit Tracking
• Audit Log
The Audit Log interface is accessed from a System Administrator's workstation using any standard web browser. The log can then be exported to a .txt file and opened in Microsoft® Excel®.

Keeping the Device and Data Protected
Malware Protection
• Embedded McAfee Agent
• McAfee ePolicy Orchestrator (ePO)
• McAfee Integrity Control
• Alerts via Email, McAfee ePO and Xerox Management Tools
Whitelisting technology allows only approved software to run.
(Figure: Normal usage: known users, approved software, known files and software. Attacks: unknown users, malicious acts, polymorphic zero-day attacks, unknown files and software.)

Keeping Data on the Network Protected
Network Security
• Secure Sockets Layer / Transport Layer Security (SSL/TLS)
• IPsec Encryption
• Network Ports On/Off
• Digital Certificates
• SNMPv3
• SNMP Community String
• 802.1X Authentication
• Firewall
• Fax and Network Separation
• IP Address Filtering
(Figure: IP Address Filtering, 802.1X Authentication)

Keeping Data on the Network Protected
Policy Management
Policy Management with Cisco TrustSec®
• Protects your printing assets by enforcing security policies centrally at the network level
• Ensures only authorized, role-based access to the printers
• Detects unauthorized printers on the network; only approved MFPs and printers are allowed to be deployed
• Anti-spoofing capabilities by profiling devices

Xerox Risk Assessment and Mitigation
Proactive Security for Emergent Threats
• Keep a close eye on the latest risks
• Issue security bulletins
• Distribute RSS feeds
• Provide you with a wealth of information
Xerox® Security Bulletins and Patch Deployment
Visit www.xerox.com/security for timely information updates and important resources.
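The exported audit log described above is the raw material for detection, and reviewing it by eye in a spreadsheet does not scale past a handful of devices. The script below is added here as an illustration and is not Xerox's tooling: it parses a tab-separated export and flags the two things a practitioner looks for first, repeated failed logins from one source inside a short window, and security controls (image overwrite, audit logging) being switched off by an administrator. The column names and the sample rows are constructed for this example; the page does not show the real export layout, so adjust the header names to match your device's file.

```python
"""Flag suspicious activity in an exported MFP audit log.

The tab-separated layout below is an ASSUMPTION made for this example
(the real export's column names may differ); the rows are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not from a real device).
SAMPLE_EXPORT = """\
Index\tDate\tTime\tEvent\tUser\tStatus\tDetails
1\t2013-03-04\t08:02:11\tSystem Startup\t-\tSuccess\t-
2\t2013-03-04\t08:15:40\tLogin\tadmin\tFailed\tsource=10.1.5.23
3\t2013-03-04\t08:15:52\tLogin\tadmin\tFailed\tsource=10.1.5.23
4\t2013-03-04\t08:16:03\tLogin\tadmin\tFailed\tsource=10.1.5.23
5\t2013-03-04\t08:16:20\tLogin\tadmin\tSuccess\tsource=10.1.5.23
6\t2013-03-04\t08:17:05\tImage Overwrite\tadmin\tSuccess\tstatus=Disabled
7\t2013-03-04\t08:18:30\tAudit Log\tadmin\tSuccess\tstatus=Disabled
8\t2013-03-04\t09:00:00\tPrint\tjsmith\tSuccess\tpages=3
9\t2013-03-04\t09:05:10\tLogin\tjsmith\tFailed\tsource=10.1.7.8
"""

FAIL_THRESHOLD = 3             # this many failed logins ...
WINDOW = timedelta(minutes=5)  # ... inside this window = probable guessing
# Controls whose "Disabled" state weakens the device (event names assumed).
SENSITIVE_CONTROLS = {"Image Overwrite", "Audit Log", "Hard Disk Encryption"}


def parse_export(text):
    """Turn the TSV export into a list of dicts keyed by the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        cols = line.split("\t")
        if len(cols) != len(header):
            continue  # skip malformed rows instead of aborting the review
        rec = dict(zip(header, cols))
        rec["when"] = datetime.strptime(rec["Date"] + " " + rec["Time"],
                                        "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_login_guessing(records):
    """Return (user, source, first_failure_iso) for each user/source pair
    with FAIL_THRESHOLD or more failed logins inside WINDOW."""
    failures = defaultdict(list)
    for r in records:
        if r["Event"] == "Login" and r["Status"] == "Failed":
            source = r["Details"].replace("source=", "")
            failures[(r["User"], source)].append(r["when"])
    hits = []
    for (user, source), times in sorted(failures.items()):
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= WINDOW:
                hits.append((user, source, times[i].isoformat()))
                break  # one finding per user/source pair is enough
    return hits


def find_disabled_controls(records):
    """Return (control, user, time_iso) whenever a sensitive control is turned off."""
    return [(r["Event"], r["User"], r["when"].isoformat())
            for r in records
            if r["Event"] in SENSITIVE_CONTROLS and "status=Disabled" in r["Details"]]


def review(text):
    """Run both checks over one export and return the findings."""
    records = parse_export(text)
    return {"login_guessing": find_login_guessing(records),
            "disabled_controls": find_disabled_controls(records)}


if __name__ == "__main__":
    for kind, findings in review(SAMPLE_EXPORT).items():
        for finding in findings:
            print(kind, *finding)
```

Two design points: the export lives on the device, so pull it on a schedule rather than only after an incident, and treat an administrator disabling the audit log as a finding in its own right, because every later event is then missing from the record.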
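The whitelisting point in the Malware Protection section above comes down to a default-deny rule: code runs only if it matches an approved fingerprint, so an unknown or modified file is blocked without anyone first having to recognise it as malicious, which is why the approach also covers the polymorphic zero-day case the figure mentions. The block below is an added illustration of that principle in Python; it is not McAfee's or Xerox's implementation, and the file names and contents are constructed in a temporary directory for the demo.

```python
"""Hash-based application allowlisting (default deny).

Added illustration of the whitelisting principle; not McAfee's or Xerox's code.
All file names and contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Set of approved digests; anything not on the list is denied."""

    def __init__(self, digests=()):
        self.approved = set(digests)

    @classmethod
    def from_files(cls, paths):
        """Build the list from known-good files at baseline time."""
        return cls(sha256_file(p) for p in paths)

    def decide(self, path):
        """Return (allowed, digest). A modified approved file gets a new
        digest and is therefore denied exactly like an unknown file."""
        digest = sha256_file(path)
        return digest in self.approved, digest


def demo():
    """Exercise the three cases: approved, unknown, and tampered-approved."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "print_engine.bin")
        unknown = os.path.join(d, "unexpected_tool.bin")
        with open(approved, "wb") as f:
            f.write(b"constructed approved module v1")
        with open(unknown, "wb") as f:
            f.write(b"constructed file nobody approved")

        allow = Allowlist.from_files([approved])
        approved_ok = allow.decide(approved)[0]   # True
        unknown_ok = allow.decide(unknown)[0]     # False

        # Append one byte to the approved file: same name, different digest.
        with open(approved, "ab") as f:
            f.write(b"\x90")
        tampered_ok = allow.decide(approved)[0]   # False
        return approved_ok, unknown_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The decision is made on content, never on file name or path, which is what makes the tampered copy fail; the operational cost is that every legitimate software or firmware update has to be added to the allowlist before it will run.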
Regulatory and Policy Compliance
• Payment Card Industry (PCI) Data Security Standard (2006)
• Sarbanes-Oxley Act
• Basel II Framework
• Health Insurance Portability and Accountability Act (HIPAA)
• E-Privacy Directive (2002/58/EC)
• Gramm-Leach-Bliley Act
• Family Educational Rights and Privacy Act (FERPA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Dodd-Frank Wall Street Reform and Consumer Protection Act
• ISO/IEC 15408 Common Criteria for Information Technology Security Evaluation
• ISO/IEC 27001 Information Security Management System standard
• Control Objectives for Information and Related Technology (COBIT)
• Statement on Auditing Standards No. 70 (SAS 70)

Common Criteria Evaluation
Independent, objective validation of the reliability, quality and trustworthiness of IT products.
Achieving Common Criteria Certification
• Rigorous process
• Product testing by a third-party laboratory accredited by the National Voluntary Laboratory Accreditation Program (NVLAP)

Common Criteria Certification
• Xerox® ColorQube® 8700*/8900* (undergoing evaluation)
• Xerox® WorkCentre® 4250/4260
• WorkCentre 7200 Series* (undergoing evaluation)
• WorkCentre 5150
• WorkCentre 5800 Series (undergoing evaluation)
• Xerox® D95/D110/D125 Copier/Printer
• Xerox® ColorQube 9300 Series (undergoing evaluation)
• Xerox® Color 550/560 Printer
• WorkCentre 7775 (undergoing evaluation)
• WorkCentre 7800 Series (undergoing evaluation)
• WorkCentre 5300 Series
*ColorQube 8700 and 8900 with ConnectKey Controller will be available Q2 2013

Manufacturing and Supplier Security Practices
EICC Code of Conduct
• Demonstrates stringent oversight of manufacturing processes.
On-site audits
• Ensure integrity of the process all the way down to the component level.
European Commission Taxation and Customs Union
• Facilitates trade
• Protects the interests of the European Union and its citizens.
Customs Security Program – membership pending

Manufacturing and Supplier Security Practices
US Customs-Trade Partnership Against Terrorism (C-TPAT)
• Within North America, all trailers moving between the factory, product distribution centers and Carrier Logistics Centers are sealed at the point of origin.
• All trucks have GPS locators installed and are continuously monitored.

Product Returns and Disposals
1. The trade removal is picked up from the customer location by a Xerox® authorized and trained carrier.
2. The unit is returned on a Xerox® dedicated truck network to a Xerox® facility or contracted remarketer, or taken to a local scrap yard using a selected carrier.
3. If the machine has outlasted its useful life, in part or in whole, it is crushed and sent to a Xerox® contracted recycler.
4. Otherwise, the machine is sanitized to DoD standards prior to remanufacture or resale.
5. The recycler shreds the compacted units and separates the pieces into raw material categories (plastics, metals, glass, etc.).
6. The raw material is recycled (99.4% landfill avoidance), reducing environmental impacts.

Summary
Xerox® MFPs lead the industry. Xerox continues to engineer and design all of its products to ensure the highest possible level of security at all potential points of vulnerability.
For more information about the many security advantages offered by Xerox, visit our security website, www.xerox.com/security.
At Xerox, we work hard at keeping your data safe and secure so you can focus on what matters most: your business.

Security Checklist
• IP/MAC Address Filtering
• IPsec Encryption
• IPv6
• 802.1X Authentication
• Secure Print
• Scan to Email Encryption
• Encrypted PDF / Password-protected PDF
• Digital Signatures
• "256-bit AES" Hard Disk Encryption
• Image Overwrite
• Secure Fax
• Port Blocking
• Scan to Mailbox Password Protection
• Hard Disk Retention Offering
• Print Restrictions
• Audit Log
• Role Based Access Control
• Smart Card Authentication
• Common Access Card / Personal Identity Verification
• User Permissions
• Secure Access
• "Full System" Common Criteria Certification
• Integration with Standard Network Management Tools
• Security updates via RSS feeds
• Embedded McAfee
• McAfee Integrity Control
• Cisco® TrustSec® Integration
• McAfee ePolicy Orchestrator Integration